CN1635747A - Method for solving port scanning and attack rejection in NAT environment - Google Patents
- Publication number: CN1635747A
- Authority: CN (China)
- Prior art keywords: host, router, count, value, connection
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Abstract
This invention relates to a method for handling port scanning and denial-of-service attacks. It comprises initializing the NAPT table, setting a minimum value of the number of connections a host is permitted to make through the router, and setting a maximum value of the number of connections a host is permitted to make through the router. If the host's connection count is less than the minimum, the router accepts the connection request; if it is greater than the maximum, the router refuses the connection request; if it is greater than or equal to the minimum and less than or equal to the maximum, the router accepts or refuses the host's request with a computed probability. The invention can carry the normal traffic of current NAT deployments and mitigate DDoS attacks.
Description
Technical field
The present invention relates to a method for handling denial-of-service attacks in a router, and in particular to a method for handling port scanning and denial-of-service attacks in a NAT environment.
Background technology
As is well known, because of the shortage of IPv4 address space, the IETF recommends IP NAT (IP Network Address Translation, RFC 2663) to solve the shortage of IP addresses.
In a NAT environment, however, the router uses a NAPT (Network Address Port Translation) table to record the information of NAT packet translation. This NAPT table contains the host's source IP address (Source IP Address), source port number (Source Port Number), destination IP address (Destination IP Address), destination port number (Destination Port Number), protocol number (Protocol ID), the translated address (Global IP Address), and so on. Because the translated address has, in theory, only 65536 ports, and every host whose IP address needs translation uses this one translated address, merely mapped to a different port, if one host or several hosts send more than 65536 requests at the same time, the router can no longer forward normal packets for the other hosts; the consequence is that the router is flooded with a large number of junk packets and other users cannot get online through it. For example, when IP NAT is implemented in a routing product it is easily subjected to attacks from virus-infected hosts, such as port scanning and denial-of-service attacks: the NAT table is exhausted, so the router cannot forward packets for the other, normal hosts; the router is submerged in port-scanning and denial-of-service packets and loses its normal function.
Summary of the invention
The technical problem addressed by the present invention is to provide a method for handling port scanning and denial-of-service attacks in a NAT environment, intended to overcome the defect that attacks from virus-infected hosts (such as port scanning and denial-of-service attacks) currently prevent other hosts from having their packets forwarded normally.
To solve the above technical problem, the present invention is realized by the following steps:
Initialize the NAPT table;
Set the minimum value of the number of connections a host (N) is permitted to make through the router to Cmin(n);
Set the maximum value of the number of connections a host (N) is permitted to make through the router to Cmax(n);
If the number of connections of host (N) through the router is less than Cmin(n), the router accepts the host's current connection request;
If the number of connections of host (N) through the router is greater than Cmax(n), the router refuses the host's current connection request;
If the number of connections of host (N) through the router is greater than or equal to Cmin(n) and less than or equal to Cmax(n), the router computes a probability and accepts or refuses the host's request according to it.
Compared with the prior art, the beneficial effects of the invention are: it can carry the normal traffic of current NAT applications, identify hosts that initiate port scanning and denial-of-service attacks, guarantee that normal packets pass through, prevent port scanning and denial-of-service attacks, and mitigate DDoS (Distributed Denial of Service) attacks.
Embodiment
The present invention is described in further detail below with reference to embodiments:
First define the following parameters:
CurC(n): the current number of connections of host N;
Pa(n): the connection drop probability of host N;
Pb(n): a temporary variable used in computing the probability for host N;
Pmax(n): the maximum value of Pa(n);
Count(n): the number of connections of host N since the last refused connection.
The present invention is realized by the following steps:
Initialize the NAPT table (1);
Set the minimum value of the number of connections a host (N) is permitted to make through the router to Cmin(n) (2);
Set the maximum value of the number of connections a host (N) is permitted to make through the router to Cmax(n) (3);
If the number of connections of host (N) through the router is less than Cmin(n), the router accepts the host's current connection request (4);
If the number of connections of host (N) through the router is greater than Cmax(n), the router refuses the host's current connection request (5);
If the number of connections of host (N) through the router is greater than or equal to Cmin(n) and less than or equal to Cmax(n), the router computes a probability and accepts or refuses the host's request according to it (6);
Where step (1) is realized as follows: the NAPT table contains the source IP address (Source IP Address) of the host initiating the connection request, the source port number (Source Port Number), destination IP address (Destination IP Address), destination port number (Destination Port Number), protocol number (Protocol ID), CurC(n), and so on; set count(n)=0; set the value of Pmax(n);
In step (4), count(n)=-1;
In step (5), count(n)=0;
Step (6) is realized as follows:
count(n)=count(n)+1,
Pb(n)=Pmax(n)*(CurC(n)-Cmin(n))/(Cmax(n)-Cmin(n))
Pa(n)=Pb(n)/(1-count(n)*Pb(n))
Refuse the connection with probability Pa(n) and set count(n)=0;
Otherwise, allow the connection of host n to be established with probability 1-Pa(n);
Embodiment 1
Set Cmin(n)=200, Cmax(n)=800, Pmax(n)=0.2. For a connection request, if the current number of connections is less than 200, the router allows the connection; if the current number of connections exceeds 800, the router refuses the connection request. If the current number of connections is 201, the following steps are carried out:
Suppose count(n)=1
Pb(n)=0.2*(201-200)/(800-200)=0.00033
Pa(n)=0.00033/(1-1*0.00033)=0.00033
So the router refuses the 201st connection with probability 0.00033; otherwise, it allows the connection of host N to be established with probability 1-0.00033.
Embodiment 2
Set Cmin(n)=200, Cmax(n)=800, Pmax(n)=0.2. For a connection request, if the current number of connections is less than 200, the router allows the connection; if the current number of connections exceeds 800, the router refuses the connection request. If the current number of connections is 751, the following steps are carried out:
Suppose count(n)=10
Pb(n)=0.2*(751-200)/(800-200)=0.184
Pa(n)=0.184/(1-10*0.184)=0.22
So the router refuses the 751st connection with probability 0.22; otherwise, it allows the connection of host N to be established with probability 1-0.22.
From the above embodiments it can be seen that if the current number of connections lies between the minimum and the maximum, the behaviour of this host is in a critical state; in this state a probability Pa(n) must be computed, and the router then accepts or refuses the host's request according to Pa(n):
With the connection count between 200 and 800, the closer it is to 200, the higher the probability that the connection is accepted; the closer it is to 800, the lower that probability.
According to statistics, a host behaving normally does not send more than a few hundred requests at the same time, so the present invention can prevent a single host or a small number of hosts, or such hosts under virus attack, from occupying all of the router's resources. Preventing this monopolisation, and detecting when router resources are being monopolised, keeps the network in a state in which most internal hosts can still use it.
At the same time the behaviour of every host is recorded, collecting the basic data for these statistics.
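The admission decision of steps (4) to (6), with the two embodiments' numbers, as an added C example that is not part of the patent: it keeps Cmin(n), Cmax(n), Pmax(n) and the per-host CurC(n) and count(n), computes Pb(n) and Pa(n), and takes the uniform random draw as a parameter so a decision can be reproduced. The one assumption beyond the page is a clamp of Pa(n) to 1 once count(n)*Pb(n) reaches 1, where the page's formula would go negative.

```c
/* Per-host parameters from the page: Cmin(n), Cmax(n), Pmax(n). */
struct host_params {
    unsigned cmin;   /* below this many connections the router always accepts */
    unsigned cmax;   /* above this many connections the router always refuses */
    double   pmax;   /* Pmax(n): upper bound of the drop probability */
};

/* Per-host state kept alongside host n's NAPT entries. */
struct host_state {
    unsigned cur_c;  /* CurC(n): connections currently held by host n */
    int      count;  /* count(n): connections seen since the last refusal */
};

/* Pb(n) = Pmax(n) * (CurC(n) - Cmin(n)) / (Cmax(n) - Cmin(n)); only
 * meaningful in the critical zone Cmin(n) <= CurC(n) <= Cmax(n). */
double pb_of(const struct host_params *p, unsigned cur_c)
{
    return p->pmax * ((double)cur_c - (double)p->cmin)
                   / ((double)p->cmax - (double)p->cmin);
}

/* Pa(n) = Pb(n) / (1 - count(n) * Pb(n)).  Clamping to 1.0 once
 * count*Pb reaches 1 is an assumption added here: the page's formula
 * goes negative there (its second embodiment drops the sign). */
double pa_of(double pb, int count)
{
    double denom = 1.0 - (double)count * pb;
    if (denom <= 0.0 || pb >= denom)
        return 1.0;
    return pb / denom;
}

/* One connection request from host n (steps 4 to 6).  u is a uniform draw
 * in [0,1) supplied by the caller; returns 1 = accept, 0 = refuse. */
int admit(const struct host_params *p, struct host_state *s, double u)
{
    if (s->cur_c < p->cmin) {          /* step 4: under Cmin, accept */
        s->count = -1;
        s->cur_c++;
        return 1;
    }
    if (s->cur_c > p->cmax) {          /* step 5: over Cmax, refuse */
        s->count = 0;
        return 0;
    }
    s->count++;                        /* step 6: critical zone */
    double pa = pa_of(pb_of(p, s->cur_c), s->count);
    if (u < pa) {                      /* refuse with probability Pa(n) */
        s->count = 0;
        return 0;
    }
    s->cur_c++;                        /* accept with probability 1 - Pa(n) */
    return 1;
}
```

With the page's parameters, pb_of at CurC(n)=201 gives 0.00033 and at 751 gives 0.184 as in the embodiments; at 751 with count(n)=10 the clamp makes Pa(n)=1 rather than the page's 0.22.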
Claims (4)
1. A method for handling port scanning and denial-of-service attacks in a NAT environment, characterised in that it is realized by the following steps:
Initialize the NAPT table (1);
Set the minimum value of the number of connections a host (N) is permitted to make through the router to Cmin(n) (2);
Set the maximum value of the number of connections a host (N) is permitted to make through the router to Cmax(n) (3);
If the number of connections of host (N) through the router is less than Cmin(n), the router accepts the host's current connection request (4);
If the number of connections of host (N) through the router is greater than Cmax(n), the router refuses the host's current connection request (5);
If the number of connections of host (N) through the router is greater than or equal to Cmin(n) and less than or equal to Cmax(n), the router computes a probability and accepts or refuses the host's request according to it (6).
2. The method for handling port scanning and denial-of-service attacks in a NAT environment according to claim 1, characterised in that:
step (1) is realized as follows: the NAPT table contains the source IP address (Source IP Address) of the host initiating the connection request, the source port number (Source Port Number), destination IP address (Destination IP Address), destination port number (Destination Port Number), protocol number (Protocol ID), CurC(n), and so on; set count(n)=0; set the value of Pmax(n);
In step (4), count(n)=-1
In step (5), count(n)=0
Step (6) is realized as follows:
count(n)=count(n)+1;
Pb(n)=Pmax(n)*(CurC(n)-Cmin(n))/(Cmax(n)-Cmin(n));
Pa(n)=Pb(n)/(1-count(n)*Pb(n));
where the parameters are:
CurC(n): the current number of connections of host N;
Pa(n): the connection drop probability of host N;
Pb(n): a temporary variable used in computing the probability for host N;
Pmax(n): the maximum value of Pa(n);
Count(n): the number of connections of host N since the last refused connection.
3. The method for handling port scanning and denial-of-service attacks in a NAT environment according to claim 2, characterised in that: set Cmin(n)=200, Cmax(n)=800, Pmax(n)=0.2; the current number of connections is 201, and the following steps are carried out:
Suppose count(n)=1
Pb(n)=0.2*(201-200)/(800-200)=0.00033
Pa(n)=0.00033/(1-1*0.00033)=0.00033.
4. The method for handling port scanning and denial-of-service attacks in a NAT environment according to claim 2, characterised in that: set Cmin(n)=200, Cmax(n)=800, Pmax(n)=0.2; the current number of connections is 751, and the following steps are carried out:
Suppose count(n)=10
Pb(n)=0.2*(751-200)/(800-200)=0.184
Pa(n)=0.184/(1-10*0.184)=0.22.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB2003101228587A CN100414901C (en) | 2003-12-26 | 2003-12-26 | Method for solving port scanning and attack rejection in NAT environment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN1635747A true CN1635747A (en) | 2005-07-06 |
| CN100414901C CN100414901C (en) | 2008-08-27 |
Family
ID=34844651
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CNB2003101228587A Expired - Fee Related CN100414901C (en) | 2003-12-26 | 2003-12-26 | Method for solving port scanning and attack rejection in NAT environment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN100414901C (en) |
Also Published As
| Publication number | Publication date |
|---|---|
| CN100414901C (en) | 2008-08-27 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | C14 | Grant of patent or utility model | |
| | GR01 | Patent grant | |
| | C17 | Cessation of patent right | |
| | CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20080827; Termination date: 20121226 |
| | DD01 | Delivery of document by public notice | Addressee: Shanghai UTT Technology Co., Ltd. Finance; Document name: Notification of Approving Refund |